Ladies and gentlemen...
Posted: Wed Jul 08, 2009 4:51 pm
... let me introduce you to http://fi.php.net/manual/en/function.op ... -bytes.php - the damn simple way to create cryptographically strong random data.
There's a "strong" parameter that tells us whether a strong algorithm was used. On a Windows 7 x64, lighttpd + OpenSSL enabled developer machine, I was able to pull very high (stronger than /dev/urandom) random data and actually I don't wonder why; it polled my CryptoAPI PRNG directly. In general you will always get very strong results back (even if I shut down CSP on Windows, it uses a hash of my screen and other cool tricks). Windows, Linux, Unix, BSDs, Mac and Solaris will all provide cryptographically strong random data and in general OpenSSL should be available on web servers.
I suggest using this function and if something went wrong (i.e. you got weak random data), notify the site admin or possibly reject further processing depending on how important the site is. This potential "weak" data (depends on platforms, different algorithms used) still seems to be always stronger than data generated with mt_rand(), for instance.
Just one more reason to use PHP 5.3. I must admit, PHP is becoming quite a solid and robust package.
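The check the post suggests (read the "strong" flag, then notify the admin or stop processing), as an added example that is not part of the original post. The helper names strong_random_bytes() and new_reset_token() and the reset-token use case are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper names, not code from the original post.

/**
 * Return $length random bytes from OpenSSL, checking the "strong" flag.
 * $rejectWeak = true  -> throw when the flag is false (stop processing)
 * $rejectWeak = false -> log for the site admin and continue
 */
function strong_random_bytes($length, $rejectWeak = true)
{
    if (!function_exists('openssl_random_pseudo_bytes')) {
        throw new RuntimeException('OpenSSL extension is not loaded');
    }

    $strong = false; // filled in by reference by the call below
    $bytes  = openssl_random_pseudo_bytes($length, $strong);

    // Older PHP versions return false on failure instead of throwing.
    if ($bytes === false || strlen($bytes) !== $length) {
        throw new RuntimeException('OpenSSL returned no random data');
    }

    if ($strong !== true) {
        // Weak algorithm used: leave a trace for the site admin.
        error_log('openssl_random_pseudo_bytes: weak algorithm used');
        if ($rejectWeak) {
            throw new RuntimeException('Weak random data rejected');
        }
    }

    return $bytes;
}

// Hypothetical use: a 128-bit password-reset token, hex encoded.
function new_reset_token()
{
    return bin2hex(strong_random_bytes(16));
}

try {
    echo new_reset_token(), PHP_EOL;
} catch (Exception $e) {
    // Fail closed: issue no token rather than one built on weak data.
    error_log('Token generation failed: ' . $e->getMessage());
    exit(1);
}
```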